Please do add "pipe and search" after rex command, like below |search event="Fail-Alert" state="**"|table state entity resource event description minutes year month you have started searching for event="Fail Alert" without any pipe and also it is good to have all search before first pipe itself .. ... View more

You do have space before minutes,remove those extra spaces.. it should work if your events are same.. ... View more

Try this if you want to have deep analysis based on year,month,date,time etc, | rex field=_raw "at\s+(?<time>(?<month>\w+)\s(?<date>\d+)\s(?<year>\d+)\s(?<hour>\d+)\S(?<minutes>\d*)(?<clock_set>\w\w))\swith" It will create time ,month,date,year,hour,minutes,clock_set fields time as Aug 1 2019 8:01AM , month as Aug, date as 1 , year as 2019 and so on.. Thought this search is costly as it produces more fields, it can be used for analysis/reports etc.. ... View more

Hi Please check if this helps.. I have added below line to your file to make sure we proceess both output you are looking for.. 19:30:06 C:\Pelibib\MBX\20190618193001754_MA07.MBX processed and deleted Add index and sourcetype before mentioned query.. | search _raw=*MA07* | rex field=_raw "\WMBX\W(?\d+)_MA07.MBX\s(?.*)and deleted" | rex field=_raw "\.TXT_(?\d+)\s(?.*)and deleted" | stats values(status) as status by file_name | eval status=mvjoin(status,",") | search status!=*sended | eval Result=if(like(status, "%processed ,sended%"), "File_received", "File_stuck_somewhere") output would look like file_name status Result 20190618193001754 processed File_stuck_somewhere 20190618193001755 processed ,sended File_received ... View more

Are you looking something like this ? If so just add your index and sourcetype in first line.. ... View more

| stats sum(ACCESS_REVIEW_COMPLETE) as Total count as count1 | eval result=(Total/count1) Check if this helps ... View more